A new study looking at the various pressures on IT security professionals has found that many are on the rise,...
especially those related to dealing with the board and with having enough skilled employees.
The 2016 Security Pressures Report is the third commissioned by security and compliance vendor Trustwave Inc. Steve Kelley, Trustwave chief marketing officer, told SearchSecurity that seeing the data year-over-year helps to quantify the changes, which is important because "pressure in a lot of cases can be relative. It could be relative to the person answering the survey; it could be relative to the business you're in."
The top three items on the 2016 wish list of respondents in the survey were additional budget (33%), more security expertise/skilled employees (20%) and fewer complex technologies (15%).
Kelley said one change that seems to be affecting pressure in various ways for IT pros is more involvement from the board.
"There's much more pressure at the board level on IT security professionals than there ever has been in the past," Kelley said. "Cybersecurity has clearly shifted from being what was formerly considered an IT issue to now a board level business issue."
The report supports this conclusion in that 40% of respondents claimed to feel as much pressure before and after a board meeting as they do during a breach. Potentially related to the increased pressure from and involvement of the board in IT decisions was the finding that 74% of respondents face pressure to purchase cybersecurity products containing the latest features, despite 31% saying they lack "the adequate resources to properly adopt, deploy and use those products."
Michael Osterman, president of Osterman Research, based in Black Diamond, Wash., said this indicates "there is a mismatch between what IT is reporting to the board and what the board does with this information."
"I believe that the Trustwave finding that IT is being pressured to buy the latest technology-based solutions is driven by the fact that many board members may not fully understand all of the issues involved in events like data breaches," Osterman said, "and so make decisions based on their catching what others have dubbed the 'Do Something Disease' -- they panic and believe that the newest tech will solve their problems, not fully understanding that many IT departments are not fully or properly using the tech they already have."
Kelley also noted that purchases of cybersecurity products like this were an important factor in previous research that found the amount of technology purchased but never implemented was rising and leading to resources being wasted. This so-called shelfware problem doesn't appear to be getting better based on this new research.
Michael Ostermanpresident, Osterman Research
New cybersecurity products aren't the only operational pressure hitting IT pros. The top operational pressure was found to be advanced security threats (26%), followed by the adoption of emerging technologies (22%) and the shortage of cybersecurity expertise (14%).
"The No. 1 adversary out there is still the outsider threat that organizations are concerned about, but the next adversary is the ability to respond to those threats," Kelley said. "The more advanced the security threats are, the more sophisticated technologies and solutions organizations feel the need to have in place to combat those. And, the ability to use those speaks to the skills and resources."
Osterman said that it is crucial to find the right way to explain to the board when new cybersecurity products are needed to combat security threats and when it is more a matter of needing additional skills.
"IT needs to fully educate the board on why data breaches, malware infiltrations and other security problems occur -- many board members may not fully understand the issues involved and could use a good primer on how breaches happen and why they are not addressed earlier," Osterman said. "IT/security needs to implement the appropriate processes to deal with security violations and what to do with the information they already have, not necessarily throw the latest and great solution at the problem."
Aaron Higbee, chief technology officer and co-founder of PhishMe, noted that "attacks are human driven and defense should be, too."
"The key is having the right expertise with the right number of hours with the right technology to assist people. Defensive security technology is often preventing yesterday's attack," Higbee said. "Organizations should understand how to identify and retain their top infosec talent. The reality is adding another line item for another security engineer won't necessarily double output. In a given security team you will have outliers that are exceptionally talented. Do whatever it takes to hold onto them."
Kelley said the pressures of adopting emerging technologies was most related to enterprises adopting things like cloud or Internet of Things technologies which get implemented before proper security protocols are put in place.
"These tend to be business-enablers and perceived to be revenue-generating, and so there's always more business pressure to grow revenue faster and push these technologies out the door before they're actually confirmed to be secure," Kelley said. "I don't know that it's the board not knowing how [to handle security], but the first board-level issue is probably growing the business and then they try to figure out how to deal with it from there. And, we're seeing there's a disconnect between that aggressiveness not being balanced by security."
Osterman agreed that when it comes to security "many decision-makers are much more reactive than proactive and are willing to spend lots of money to remediate problems after a problem occurs." He said IT managers need to learn how to better explain the problem to board members.
"I believe that hammering home the consequences of poor security practices and solutions through numerous case studies can be helpful in driving home the idea that security must be the top priority," Osterman said. "The key, in my opinion, is to personalize the experiences of others so that board members move from understanding security breaches as a theoretical exercise to a more practical understanding of why security must be a paramount consideration."
The survey suggests that IT professionals believe hiring more skilled workers is a potential solution to some of these issues, because 87% of respondents said they would want to at least double the size of their security staff, which is up 3% from last year. Unfortunately, the shortage of security expertise also rose from the eighth-biggest operational pressure facing security pros to the third-biggest, according to the survey.
Eric Chiu, president and co-founder of HyTrust, said this skills gap is something that can't be overcome easily. He suggests that enterprises with major skills gaps could consider using a managed security service provider rather than taking on these security challenges alone, because MSSPs aren't as susceptible to the skills gap.
"The expertise and number of resources that a managed services provider offers can help close the skill gap for an organization that may not be able to staff to the resource level that is needed," Chiu said. "It is not a short-term fix for a staff shortage but part of a longer term security strategy. Because a managed services provider may see attack trends and broader scale patterns of attacks and also have good tools to monitor activity, they are able to take advantage of one-to-many model."
Kelley said it is this "one-to-many model" that allows MSSPs to reach critical mass in a number of areas.
"The critical mass can help with threat intelligence," Kelley said. "The ability to monitor hundreds of thousands of organizations rather than tens of organizations is going to give much better insight into security threats and the security landscape than a smaller provider. In addition to that, the critical mass of the global provider allows and enables for around-the-clock security monitoring, so you can get more cost-effective security resources from around the globe rather than doing it on a local basis."
Learn how to evaluate MSSP security before taking the plunge.
How can enterprises manage the cybersecurity skills gap?
See the rise of super-contractors in the face of a widening IT skills gap.
Stimulate growth in the IT profession with resilience